Enumerate Object Permissions
List of possible permissions (the ActiveDirectoryRights values that matter most when reviewing an ACE):
GenericAll: Full permissions on the object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit the ACEs applied to the object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for the object
Self (Self-Membership): Add ourselves to an object, for example a group

# Enumerate the ACEs on a user object with PowerView.
Get-ObjectAcl -Identity <Username>
# Example: Get-ObjectAcl -Identity stephanie
# In short, we are interested in the ActiveDirectoryRights and SecurityIdentifier of every ACE we enumerate from here on.
# We should also enumerate other object types in the domain, such as groups.
# Enumerate the ACEs on a group and keep only the entries granting GenericAll.
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
# The output above lists the trustees in SID form.
# Convert the SIDs to names as follows.
"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName
Instead of checking object permissions for every group in the domain, check only the groups that contain users we have access to.
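The steps above (enumerate ACEs per group, filter on the interesting rights, resolve SIDs to names, and optionally scope to the groups a given account belongs to) can be wired together into one audit function. The script below is an added example, not code from the original notes or from PowerView itself; it assumes PowerView is already loaded in the session (Get-DomainGroup, Get-ObjectAcl, Convert-SidToName) and that the -MemberIdentity parameter of Get-DomainGroup is available. The "expected" SID list is an assumption about which principals normally hold these rights; adjust it to the domain being reviewed.

```powershell
# Added example (not from the original page): audit interesting ACEs on domain
# groups with PowerView and report each trustee by name instead of SID.
# Assumes PowerView is loaded and the session can query the domain.

# Rights that let a trustee take control of the group or its membership.
$InterestingRights = @('GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl', 'Self', 'AllExtendedRights')

# Principals that are expected to hold these rights on every group (assumption; tune per domain).
$ExpectedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-548'   # BUILTIN\Account Operators
)
$ExpectedRids = @('512', '519')  # Domain Admins, Enterprise Admins (RID suffix, domain-independent)

function Get-GroupAceReport {
    param(
        # Optional: restrict the audit to groups this account is a member of
        # (uses PowerView's Get-DomainGroup -MemberIdentity; assumed available).
        [string]$MemberIdentity
    )

    $groups = if ($MemberIdentity) { Get-DomainGroup -MemberIdentity $MemberIdentity } else { Get-DomainGroup }

    foreach ($group in $groups) {
        Get-ObjectAcl -Identity $group.samaccountname -ResolveGUIDs |
            Where-Object {
                # ActiveDirectoryRights is a flags enum, so an ACE may read
                # "WriteProperty, Self"; split it instead of comparing with -eq.
                $rights = $_.ActiveDirectoryRights.ToString() -split ',\s*'
                ($rights | Where-Object { $InterestingRights -contains $_ }).Count -gt 0
            } |
            ForEach-Object {
                $sid = $_.SecurityIdentifier.Value
                $rid = $sid.Split('-')[-1]
                $isDomainSid = $sid.StartsWith('S-1-5-21-')
                [pscustomobject]@{
                    Group    = $group.samaccountname
                    Rights   = $_.ActiveDirectoryRights
                    SID      = $sid
                    Trustee  = ($sid | Convert-SidToName)
                    Expected = ($ExpectedSids -contains $sid) -or ($isDomainSid -and ($ExpectedRids -contains $rid))
                }
            }
    }
}

# Report only the trustees that are not in the expected list; these are the entries to review.
Get-GroupAceReport | Where-Object { -not $_.Expected } | Sort-Object Group, Trustee | Format-Table -AutoSize

# Same report, scoped to the groups one account is a member of:
# Get-GroupAceReport -MemberIdentity stephanie | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Two details matter in practice. ActiveDirectoryRights is a flags enumeration, so the `-eq "GenericAll"` filter from the notes above misses entries such as "WriteProperty, Self" or "WriteDacl, WriteOwner"; splitting the string catches them. Convert-SidToName needs to reach the domain for every lookup, so on a large domain it is cheaper to filter on rights first, as the function does, and resolve only the SIDs that survive the filter.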